Geeks To Go forum
trojan spm/lx - vista. [CLOSED]


This topic is locked.

#1 piotramp (New Member, 5 posts)
Hi!
First time here :)
I hope I won't do anything against the rules..
I was looking for some answers, but there is no complete solution for that problem on Vista.
So.. the day before yesterday I caught a trojan.. I have small boxes that look like Windows ones saying that it's trojan spm/lx, and pop-ups are also a problem here.. oh, and in addition I now have a beautiful blue background on my desktop saying that it's spyware and I should get rid of them.. (it scares me btw..). Yeah, but how? I have tried several anti-spyware programs (Ad-Aware, SUPERAntiSpyware Free - in safe mode also..), but nothing helped.

Here is what HijackThis gave me:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:36, on 2008-03-07
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\sysockeu.exe
C:\Windows\sysodkcs.exe
C:\Windows\sysoghcx.exe
C:\Windows\sysokuaw.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEUser.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Piotrek\Desktop\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Network Drive Mapping Utility] "C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe" Z
O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\Windows\sysockeu.exe"
O4 - HKLM\..\Run: [852EBF20-A95D-4F1F-B9C2-B2CD24350F3E] "C:\Windows\sysodkcs.exe"
O4 - HKLM\..\Run: [756349DC-6D9E-4F2A-9B24-269661F073C3] "C:\Windows\sysoghcx.exe"
O4 - HKLM\..\Run: [2177F056-0AA6-4D6C-A944-13F71F341C29] "C:\Windows\sysokuaw.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Show missed alarms] C:\Program Files\Alarm\Alarm.exe
O4 - HKCU\..\Run: [Network Drive Mapping Utility] "C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.3\IExifMap.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.3\IExifCom.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: *.line6.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 11795 bytes

I hope I've done everything alright here..
I'm looking forward to hearing from you..
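The HijackThis log above lists more than twenty O4 autorun entries, and the ones that stand out are the four whose value name is a bare GUID and whose image sits directly in C:\Windows (sysockeu.exe, sysodkcs.exe, sysoghcx.exe, sysokuaw.exe) rather than under System32 or Program Files. The script below is an added example, not code from the thread, from HijackThis or from Geeks To Go: it parses O4 lines of the format shown in the log and flags entries that match either of those two heuristics. The sample input is a constructed subset of the O4 lines from this post; the function and regex names are my own.

```python
import re

# Constructed sample input: a subset of the O4 lines from the HijackThis log
# in post #1 (legitimate vendor entries mixed with the four GUID-named ones),
# plus one O23 line to show that non-O4 lines are ignored.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\Windows\sysockeu.exe"
O4 - HKLM\..\Run: [852EBF20-A95D-4F1F-B9C2-B2CD24350F3E] "C:\Windows\sysodkcs.exe"
O4 - HKLM\..\Run: [756349DC-6D9E-4F2A-9B24-269661F073C3] "C:\Windows\sysoghcx.exe"
O4 - HKLM\..\Run: [2177F056-0AA6-4D6C-A944-13F71F341C29] "C:\Windows\sysokuaw.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "O4 - <hive>: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter or %VAR%-rooted path ending in an executable extension;
# skips bare "rundll32.exe" tokens and picks the DLL a rundll32 line loads.
EXE_PATH = re.compile(r'(?:[A-Za-z]:|%[^%]+%)\\[^"]*?\.(?:exe|dll|scr|com)', re.I)
# A value name that is nothing but a GUID (BgMonitor_{...} does not match).
BARE_GUID = re.compile(r"^\{?[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}?$", re.I)
# An image placed straight into the Windows directory, not a subfolder.
WINDOWS_ROOT = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.I)


def parse_o4(text):
    """Yield (hive, value_name, image_path_or_None) for each O4 line."""
    for line in text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        p = EXE_PATH.search(m.group("cmd"))
        yield m.group("hive"), m.group("name"), (p.group(0) if p else None)


def flag_hjt_autoruns(text):
    """Return the autoruns that match at least one triage heuristic, with reasons."""
    flagged = []
    for hive, name, path in parse_o4(text):
        reasons = []
        if BARE_GUID.match(name):
            reasons.append("value name is a bare GUID, not a product name")
        if path and WINDOWS_ROOT.match(path):
            reasons.append("image lives directly in the Windows root")
        if reasons:
            flagged.append({"hive": hive, "name": name, "path": path, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_hjt_autoruns(SAMPLE_HJT):
        print(f"{hit['name']:40} {hit['path']}")
        for r in hit["reasons"]:
            print(f"    - {r}")
```

Both rules are triage signals, not verdicts: they say which entries to look up or hash first, not that they are malicious. Against the sample they flag exactly the four GUID-named entries and leave the vendor entries alone, including Nero's BgMonitor_{GUID} value, because there the GUID is only part of the name.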

#2 sarahw (Malware Staff, 2,781 posts)
Hi,
Welcome to the site.

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.
You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode, so you will be unable to access this thread at that time.
Please don't use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition than it is when infected) if used incorrectly.
These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat. :)

#3 sarahw (Malware Staff, 2,781 posts)
1.
First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.


2.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Do not Run it yet, we will use it later. Save it somewhere you will remember, like your desktop.


3.
Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.


4.
Please open ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


5.
  • IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

#4 piotramp (Topic Starter, 5 posts)
Here is that report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 20:04:40 2008-03-08

+ Scan result:



D:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Gemius : Cleaned.
D:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Ivwbox : Cleaned.
D:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Msn : Cleaned.
D:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Skype : Cleaned.
C:\Users\Piotrek\AppData\Local\Temp\Last.fm-1.4.1.57486.exe -> Trojan.Obfuscated.mu : Cleaned with backup (quarantined).
C:\Users\Piotrek\AppData\Local\Temp\WmpPluginSetup_2.0.29.0.exe -> Trojan.Obfuscated.mu : Cleaned with backup (quarantined).
C:\Users\Piotrek\AppData\Local\Temp\WmpPluginSetup_2.1.0.5.exe -> Trojan.Obfuscated.mu : Cleaned with backup (quarantined).
C:\Users\Piotrek\AppData\Local\Temp\iTunesPluginWinSetup_2.0.13.0.exe -> Trojan.Obfuscated.mu : Cleaned with backup (quarantined).
C:\Users\Piotrek\Downloads\Last.fm-1.3.2.13b.exe -> Trojan.Obfuscated.mu : Cleaned with backup (quarantined).
C:\Users\Piotrek\Downloads\tunebite.exe -> Trojan.Obfuscated.mu : Cleaned with backup (quarantined).


::Report end




I really appreciate your help,
you are great!

#5 sarahw (Malware Staff, 2,781 posts)
Download ComboFix from Here, Here, or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#6 piotramp (Topic Starter, 5 posts)
ComboFix log:

ComboFix 08-03-08.2 - Piotrek 2008-03-09 7:23:27.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6000.0.1250.1.1033.18.273 [GMT 1:00]
Running from: C:\Users\Piotrek\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\fdvch.exe
C:\Windows\system32\Cfx32.lic
C:\Windows\system32\cfx32.ocx

.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-06 17:48 . 2008-03-06 17:48 <DIR> d-------- C:\Program Files\Uniblue
2008-03-06 15:25 . 2008-03-06 15:25 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-03-06 15:25 . 2008-03-06 15:25 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-03-06 15:23 . 2008-03-06 15:23 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\SUPERAntiSpyware.com
2008-03-06 15:23 . 2008-03-06 15:23 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-06 15:02 . 2007-12-10 14:53 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-03-06 15:02 . 2007-12-10 14:53 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-03-06 15:02 . 2008-02-01 12:55 42,376 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-03-06 15:02 . 2007-12-10 14:53 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-03-06 15:01 . 2008-03-06 15:01 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\PC Tools
2008-03-06 15:01 . 2008-03-06 17:19 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-06 14:35 . 2008-03-06 14:43 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\Spyware Terminator
2008-03-06 14:35 . 2008-03-06 14:56 <DIR> d-------- C:\Users\All Users\Spyware Terminator
2008-03-06 14:35 . 2008-03-06 14:56 <DIR> d-------- C:\ProgramData\Spyware Terminator
2008-03-06 14:35 . 2008-03-06 14:55 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-03-06 14:35 . 2008-03-06 14:35 138,752 --a------ C:\Windows\System32\drivers\sp_rsdrv2.sys
2008-03-06 13:58 . 2008-03-06 13:58 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-03-06 13:57 . 2008-03-09 07:10 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-03-06 13:57 . 2008-03-09 07:10 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-03-05 23:53 . 2008-03-05 23:53 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\Grisoft
2008-03-05 23:50 . 2008-03-05 23:50 <DIR> d-------- C:\Users\All Users\Grisoft
2008-03-05 23:50 . 2008-03-05 23:50 <DIR> d-------- C:\ProgramData\Grisoft
2008-03-05 23:50 . 2007-05-30 13:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys
2008-03-05 23:35 . 2008-03-05 23:35 3,932,214 --a------ C:\Windows\mywallpaper.bmp
2008-03-05 23:30 . 2008-03-05 23:30 35,840 --a------ C:\Windows\sysockeu.exe
2008-03-05 23:30 . 2008-03-05 23:30 32,256 --a------ C:\Windows\sysodkcs.exe
2008-03-05 23:30 . 2008-03-05 23:30 28,672 --a------ C:\Windows\sysokuaw.exe
2008-03-05 23:30 . 2008-03-05 23:30 25,088 --a------ C:\Windows\sysoghcx.exe
2008-03-05 23:30 . 2008-03-05 23:37 20,992 --a------ C:\Windows\sysounrk.exe
2008-03-05 23:30 . 2008-03-05 23:37 3,072 --a------ C:\Windows\ftebh.exe
2008-03-05 23:30 . 2008-03-05 23:37 1,855 --a------ C:\Windows\config.ini
2008-03-05 23:30 . 2008-03-05 23:37 1,409 --a------ C:\Windows\fbdzj.exe
2008-03-05 23:30 . 2008-03-05 23:37 1,272 --a------ C:\Windows\fzmxg.dll
2008-02-27 00:40 . 2008-02-27 00:40 <DIR> d-------- C:\Program Files\Gadu-Gadu
2008-02-22 10:01 . 2008-02-22 10:14 <DIR> d-------- C:\Program Files\Opanda
2008-02-21 01:01 . 2008-02-21 01:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-20 22:48 . 2008-02-20 23:03 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\Nikon
2008-02-20 22:39 . 2008-02-25 19:52 20 ---h----- C:\Users\All Users\PKP_DLdw.DAT
2008-02-20 22:39 . 2008-02-25 19:52 20 ---h----- C:\ProgramData\PKP_DLdw.DAT
2008-02-20 22:36 . 2008-02-20 22:36 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2008-02-20 22:35 . 2008-02-20 22:35 <DIR> d-------- C:\Users\All Users\Nikon
2008-02-20 22:35 . 2008-02-20 22:35 <DIR> d-------- C:\ProgramData\Nikon
2008-02-20 22:35 . 2008-02-20 22:39 <DIR> d-------- C:\Program Files\Nikon
2008-02-20 22:35 . 2008-02-20 22:51 <DIR> d-------- C:\Program Files\Common Files\Nikon
2008-02-20 22:34 . 2008-02-20 22:39 <DIR> d-------- C:\Users\All Users\Ultima_T15
2008-02-20 22:34 . 2008-02-20 22:39 <DIR> d-------- C:\Users\All Users\EnterNHelp
2008-02-20 22:34 . 2008-02-20 22:39 <DIR> d-------- C:\ProgramData\Ultima_T15
2008-02-20 22:34 . 2008-02-20 22:39 <DIR> d-------- C:\ProgramData\EnterNHelp
2008-02-20 22:34 . 2008-02-25 19:26 20 ---h----- C:\Users\All Users\PKP_DLdu.DAT
2008-02-20 22:34 . 2008-02-25 19:26 20 ---h----- C:\ProgramData\PKP_DLdu.DAT
2008-02-20 02:10 . 2008-02-20 02:10 <DIR> d-------- C:\Program Files\Phun
2008-02-20 02:04 . 2008-02-20 02:05 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\Ventrilo
2008-02-15 00:10 . 2008-02-15 00:10 <DIR> d-------- C:\Program Files\Ventrilo
2008-02-14 01:13 . 2008-02-14 01:13 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-14 01:13 . 2008-02-14 01:13 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-14 01:11 . 2008-02-14 01:11 1,585,664 --a------ C:\Windows\System32\setupapi.dll
2008-02-14 01:11 . 2008-02-14 01:11 613,888 --a------ C:\Windows\System32\wpd_ci.dll
2008-02-14 01:11 . 2008-02-14 01:11 558,080 --a------ C:\Windows\System32\oleaut32.dll
2008-02-14 01:11 . 2008-02-14 01:11 260,096 --a------ C:\Windows\System32\dpx.dll
2008-02-14 01:11 . 2008-02-14 01:11 224,824 --a------ C:\Windows\System32\clfs.sys
2008-02-14 01:11 . 2008-02-14 01:11 221,696 --a------ C:\Windows\System32\umpnpmgr.dll
2008-02-14 01:11 . 2008-02-14 01:11 101,888 --a------ C:\Windows\System32\drvinst.exe
2008-02-14 01:11 . 2008-02-14 01:11 19,456 --a------ C:\Windows\System32\cfgmgr32.dll
2008-02-14 01:11 . 2008-02-14 01:11 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-02-14 01:07 . 2008-02-14 01:07 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-02-14 01:07 . 2008-02-14 01:07 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-02-14 01:07 . 2008-02-14 01:07 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-02-14 01:07 . 2008-02-14 01:07 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-02-14 01:07 . 2008-02-14 01:07 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-02-14 01:07 . 2008-02-14 01:07 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-02-14 01:07 . 2008-02-14 01:07 15,928 --a------ C:\Windows\System32\drivers\pciide.sys
2008-02-14 01:06 . 2008-02-14 01:06 806,400 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-02-14 01:06 . 2008-02-14 01:06 217,144 --a------ C:\Windows\System32\drivers\netio.sys
2008-02-14 01:06 . 2008-02-14 01:06 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-02-14 01:06 . 2008-02-14 01:06 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-02-14 01:06 . 2008-02-14 01:06 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-02-14 01:05 . 2008-02-14 01:05 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-14 01:05 . 2008-02-14 01:05 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-02-10 19:33 . 2008-02-10 19:33 <DIR> d-------- C:\peanut

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 06:34 --------- d-----w C:\Users\Piotrek\AppData\Roaming\Skype
2008-03-09 06:11 --------- d-----w C:\Users\Piotrek\AppData\Roaming\skypePM
2008-03-09 06:09 --------- d---a-w C:\ProgramData\TEMP
2008-03-08 22:50 350,468 ---ha-w C:\Windows\system32\drivers\vsconfig.xml
2008-03-06 15:49 351,744 ----a-w C:\Windows\Internet Logs\xDB8C61.tmp
2008-03-06 14:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-04 22:32 --------- d-----w C:\Program Files\Warcraft III
2008-02-28 22:18 1,488,384 ----a-w C:\Windows\Internet Logs\xDB97AC.tmp
2008-02-14 00:05 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-14 00:05 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 00:05 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-14 00:05 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-14 00:02 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-14 00:02 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-14 00:02 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-14 00:02 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-13 17:35 1,934,478 ----a-w C:\Windows\Internet Logs\tvDebug.zip
2008-02-04 19:11 --------- d-----w C:\ProgramData\Poszukiwacze Zaginionej Warszawy
2008-02-04 18:43 --------- d-----w C:\Program Files\Warszawa
2008-02-03 22:26 --------- d-----w C:\Program Files\AusLogics BoostSpeed
2008-02-03 19:46 --------- d-----w C:\Program Files\Softland
2008-02-03 19:42 --------- d-----w C:\Program Files\FreeMind
2008-02-02 20:20 1,410,560 ----a-w C:\Windows\Internet Logs\xDB8BF4.tmp
2008-02-02 19:00 32 ----a-w C:\Users\All Users\ezsid.dat
2008-02-02 19:00 32 ----a-w C:\ProgramData\ezsid.dat
2008-02-02 18:58 --------- d-----w C:\ProgramData\Skype
2008-02-02 18:58 --------- d-----w C:\Program Files\Skype
2008-02-02 18:58 --------- d-----w C:\Program Files\Common Files\Skype
2008-01-28 06:00 2,715,648 ----a-w C:\Windows\Internet Logs\xDB885A.tmp
2008-01-19 15:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 15:07 --------- d-----w C:\Program Files\Linksys
2008-01-19 15:07 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-19 13:42 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-09 00:17 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-09 00:17 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 00:06 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-09 00:06 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-09 00:06 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-08 21:33 1,379,328 ----a-w C:\Windows\Internet Logs\xDBE29F.tmp
2007-12-28 23:43 1,366,528 ----a-w C:\Windows\Internet Logs\xDB921E.tmp
2007-12-12 00:09 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 00:09 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 00:09 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-08-30 04:18 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 13:35 2159104 C:\Windows\System32\oobefldr.dll]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2005-09-03 14:18 94208]
"Show missed alarms"="C:\Program Files\Alarm\Alarm.exe" [2006-09-12 14:12 253984]
"Network Drive Mapping Utility"="C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe" [2007-08-24 10:55 286336]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 11:54 2131392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-23 00:22 1006264]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 15:49 77824]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Windows\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 14:10 271360]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-11 22:28 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-11 22:28 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-11 22:28 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-04 05:24 960240]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 22:26 68640]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17 52256]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Network Drive Mapping Utility"="C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe" [2007-08-24 10:55 286336]
"RegistryMechanic"="" []
"1029BB4B-16A9-4E77-AA3D-96930BD68EEC"="C:\Windows\sysockeu.exe" [2008-03-05 23:30 35840]
"852EBF20-A95D-4F1F-B9C2-B2CD24350F3E"="C:\Windows\sysodkcs.exe" [2008-03-05 23:30 32256]
"756349DC-6D9E-4F2A-9B24-269661F073C3"="C:\Windows\sysoghcx.exe" [2008-03-05 23:30 25088]
"2177F056-0AA6-4D6C-A944-13F71F341C29"="C:\Windows\sysokuaw.exe" [2008-03-05 23:30 28672]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 09:17 1241088]

C:\Users\Piotrek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Nikon Monitor.lnk - C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-06-14 19:39:18 479232]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{F660E819-41D8-457B-8AC5-C030914B6AB0}C:\program files\gadu-gadu\gg.exe"= UDP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny|Desc=Gadu-Gadu - program główny
"UDP Query User{6C91CB71-A27B-4F49-8954-35FFA4398B5C}C:\program files\gadu-gadu\gg.exe"= TCP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny|Desc=Gadu-Gadu - program główny
"TCP Query User{7F3B179E-83E4-4E34-BDFC-48D0CDC1F232}C:\program files\gadu-gadu\gg.exe"= UDP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny|Desc=Gadu-Gadu - program główny
"UDP Query User{B1EC7833-FEFD-4406-A4E6-383987B24817}C:\program files\gadu-gadu\gg.exe"= TCP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny|Desc=Gadu-Gadu - program główny
"TCP Query User{2C8AADE8-71F7-42BC-B0B7-DA00C50D0E0F}C:\program files\internet explorer\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"UDP Query User{8FC3C74F-C1F1-4ECB-9D16-3B01B3C04905}C:\program files\internet explorer\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"TCP Query User{A6439DEE-64D3-4EDB-BEA2-0CEF2274AD59}C:\program files\emule\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule|Desc=eMule
"UDP Query User{F441AFB9-8050-4A4D-84B5-2EC646131840}C:\program files\emule\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule|Desc=eMule
"TCP Query User{58216B4C-23A9-49D9-ACB4-AAA066FB7566}C:\program files\emule\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule|Desc=eMule
"UDP Query User{3926461B-43B3-4FD9-B5BB-B0105640F174}C:\program files\emule\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule|Desc=eMule
"TCP Query User{45087D7F-BFA0-40AE-8717-6221C3AD26D3}C:\program files\opera\opera.exe"= UDP:C:\program files\opera\opera.exe:Opera Internet Browser|Desc=Opera Internet Browser
"UDP Query User{7BF067AB-864C-4383-9063-E97D0CD845F8}C:\program files\opera\opera.exe"= TCP:C:\program files\opera\opera.exe:Opera Internet Browser|Desc=Opera Internet Browser
"TCP Query User{12C43768-FEB8-42E4-9CFF-BBE239D35D4B}C:\program files\opera\opera.exe"= UDP:C:\program files\opera\opera.exe:Opera Internet Browser|Desc=Opera Internet Browser
"UDP Query User{5E2CA1C9-D734-4271-B266-F0ADE6A0A495}C:\program files\opera\opera.exe"= TCP:C:\program files\opera\opera.exe:Opera Internet Browser|Desc=Opera Internet Browser
"TCP Query User{91AA4285-FDF7-48A7-AD1C-9B083229CDAE}C:\users\piotrek\appdata\local\temp\ixp000.tmp\rbot.exe"= UDP:C:\users\piotrek\appdata\local\temp\ixp000.tmp\rbot.exe:rbot.exe|Desc=rbot.exe
"UDP Query User{44385FD4-115D-41FE-AB6F-8EE8A8218D9C}C:\users\piotrek\appdata\local\temp\ixp000.tmp\rbot.exe"= TCP:C:\users\piotrek\appdata\local\temp\ixp000.tmp\rbot.exe:rbot.exe|Desc=rbot.exe
"TCP Query User{9EB95885-F0EE-491A-91FD-23B5D3C73F54}C:\program files\last.fm\lastfm.exe"= UDP:C:\program files\last.fm\lastfm.exe:Last.fm|Desc=Last.fm
"UDP Query User{6930FAF0-A87B-41DF-81AF-ADEDAFF8A596}C:\program files\last.fm\lastfm.exe"= TCP:C:\program files\last.fm\lastfm.exe:Last.fm|Desc=Last.fm
"TCP Query User{3A25ED4D-F416-4D4A-91E8-DB3C92EA878F}C:\program files\last.fm\lastfm.exe"= UDP:C:\program files\last.fm\lastfm.exe:Last.fm|Desc=Last.fm
"UDP Query User{DE8EDADD-D37D-4EC0-860D-D675C6AC8F44}C:\program files\last.fm\lastfm.exe"= TCP:C:\program files\last.fm\lastfm.exe:Last.fm|Desc=Last.fm
"{677316DA-7DE3-4AFE-AC61-DCBB0AAA15C8}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{070587DB-C900-427C-B8CD-88DBC9C9CEB1}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{9D0CD623-5265-4F5E-8DC7-73B2FA84C1A5}C:\program files\warcraft iii\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"UDP Query User{11C7E1FC-22AE-4464-B8FC-8DCD1B432FD1}C:\program files\warcraft iii\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"TCP Query User{23390609-A07B-4C86-80F8-FD7F4695E5F1}C:\program files\warcraft iii\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"UDP Query User{9609D59E-F1D9-4118-994E-F4BBC0A8090D}C:\program files\warcraft iii\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 ntcdrdrv;ntcdrdrv;C:\Windows\system32\DRIVERS\ntcdrdrv.sys [2007-05-16 10:42]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2007-12-04 15:52]
R3 L6DP;L6DP;C:\Windows\system32\Drivers\l6dp.sys [2007-01-30 02:22]
R3 L6TPortB;Service - Line 6 TonePort UX2;C:\Windows\system32\Drivers\L6TPortB.sys [2007-01-30 02:17]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 08:30]
S3 kvpndev;Kerio VPN adapter;C:\Windows\system32\DRIVERS\kvpndrv.sys [2007-05-25 14:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2eedb914-ab76-11dc-b46c-000129d2a37e}]
\shell\AutoRun\command - G:\
\shell\open\Command - rundll32.exe .\desktop.dll,InstallM

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e91f33ee-50fe-11dc-8aa3-806e6f6e6963}]
\shell\AutoRun\command - F:\App/Menu.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 07:34:50
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-09 7:37:02
ComboFix-quarantined-files.txt 2008-03-09 06:36:54
.
2008-02-21 23:35:03 --- E O F ---


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:41:21, on 2008-03-09
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\sysockeu.exe
C:\Windows\sysodkcs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Opera\Opera.exe
C:\Users\Piotrek\Desktop\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Network Drive Mapping Utility] "C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe" Z
O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\Windows\sysockeu.exe"
O4 - HKLM\..\Run: [852EBF20-A95D-4F1F-B9C2-B2CD24350F3E] "C:\Windows\sysodkcs.exe"
O4 - HKLM\..\Run: [756349DC-6D9E-4F2A-9B24-269661F073C3] "C:\Windows\sysoghcx.exe"
O4 - HKLM\..\Run: [2177F056-0AA6-4D6C-A944-13F71F341C29] "C:\Windows\sysokuaw.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Show missed alarms] C:\Program Files\Alarm\Alarm.exe
O4 - HKCU\..\Run: [Network Drive Mapping Utility] "C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.3\IExifMap.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.3\IExifCom.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 11333 bytes
  • 0

#7
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Windows\sysockeu.exe
C:\Windows\sysodkcs.exe
C:\Windows\sysokuaw.exe
C:\Windows\sysoghcx.exe
C:\Windows\sysounrk.exe
C:\Windows\sysounrk.exe
C:\Windows\ftebh.exe
C:\Windows\config.ini
C:\Windows\fbdzj.exe
C:\Windows\fzmxg.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1029BB4B-16A9-4E77-AA3D-96930BD68EEC"=-
"852EBF20-A95D-4F1F-B9C2-B2CD24350F3E"=-
"756349DC-6D9E-4F2A-9B24-269661F073C3"=-
"2177F056-0AA6-4D6C-A944-13F71F341C29"=-
3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0
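As an added example (not from the thread, and not part of ComboFix or HijackThis), the Python script below applies the same reasoning sarahw's CFScript encodes: it reads HijackThis O4 autostart lines, flags Run entries whose value name is a bare GUID or whose image sits directly in C:\Windows rather than a subfolder, and prints a File::/Registry:: block in the shape of the CFScript above for an analyst to review before it is used. The embedded O4 excerpt is constructed from the log posted earlier in the thread; `triage_o4`, `image_path`, `registry_key` and `build_cfscript` are names of this example only.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed excerpt of the HijackThis O4 lines posted in this thread; only
# the entries needed to exercise the checks are included.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\Windows\sysockeu.exe"
O4 - HKLM\..\Run: [852EBF20-A95D-4F1F-B9C2-B2CD24350F3E] "C:\Windows\sysodkcs.exe"
O4 - HKLM\..\Run: [756349DC-6D9E-4F2A-9B24-269661F073C3] "C:\Windows\sysoghcx.exe"
O4 - HKLM\..\Run: [2177F056-0AA6-4D6C-A944-13F71F341C29] "C:\Windows\sysokuaw.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# A bare GUID with no braces and no prefix, as used by the entries in this thread.
# Legitimate names such as BgMonitor_{...} do not match.
BARE_GUID = re.compile(r"^[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}$", re.IGNORECASE)
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def image_path(cmd):
    """Return the executable or DLL path from an O4 command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow the quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r".+?\.(?:exe|dll)\b", cmd, re.IGNORECASE)  # unquoted path up to .exe/.dll
    return m.group(0) if m else cmd.split(" ")[0]


def triage_o4(log_text):
    """Flag Run entries that look like the ones removed in this thread."""
    findings = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        name, path = m.group("name"), image_path(m.group("cmd"))
        reasons = []
        if BARE_GUID.match(name):
            reasons.append("value name is a bare GUID")
        if ntpath.dirname(path).lower() == r"c:\windows":
            reasons.append("image sits directly in %SystemRoot%, not a subfolder")
        if reasons:
            findings.append(Finding(m.group("hive"), name, path, reasons))
    return findings


def registry_key(hive):
    """Expand the HijackThis hive shorthand to the full Run key path."""
    if hive.startswith("HKUS\\"):
        return "HKEY_USERS\\" + hive[5:] + "\\" + RUN_KEY
    return HIVES[hive] + "\\" + RUN_KEY


def build_cfscript(findings):
    """Emit a File::/Registry:: block of the same shape as the staff reply's CFScript."""
    files, regs = [], {}
    for f in findings:
        if f.path not in files:                  # de-duplicate file paths, keep order
            files.append(f.path)
        regs.setdefault(f.hive, []).append(f.name)
    out = ["File::"] + files + ["", "Registry::"]
    for hive, names in regs.items():
        out.append(f"[{registry_key(hive)}]")
        out.extend(f'"{n}"=-' for n in names)    # "=-" deletes the value
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = triage_o4(SAMPLE_LOG)
    for h in hits:
        print(f"{h.hive} [{h.name}] {h.path}: {'; '.join(h.reasons)}")
    print()
    print(build_cfscript(hits))
```

The generated block is a candidate for review, not something to run blindly: every flagged path should be checked against the rest of the log (the ComboFix "Files Created" section here dates the sys*.exe files to the same minute) before it goes into CFScript.txt.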

#8
piotramp

piotramp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:22, on 2008-03-09
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Opera\Opera.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Piotrek\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Network Drive Mapping Utility] "C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe" Z
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Show missed alarms] C:\Program Files\Alarm\Alarm.exe
O4 - HKCU\..\Run: [Network Drive Mapping Utility] "C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.3\IExifMap.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.3\IExifCom.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 10983 bytes
ComboFix 08-03-08.2 - Piotrek 2008-03-09 11:19:50.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6000.0.1250.1.1033.18.328 [GMT 1:00]
Running from: C:\Users\Piotrek\Desktop\ComboFix.exe
Command switches used :: C:\Users\Piotrek\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Windows\config.ini
C:\Windows\fbdzj.exe
C:\Windows\ftebh.exe
C:\Windows\fzmxg.dll
C:\Windows\sysockeu.exe
C:\Windows\sysodkcs.exe
C:\Windows\sysoghcx.exe
C:\Windows\sysokuaw.exe
C:\Windows\sysounrk.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\config.ini
C:\Windows\fbdzj.exe
C:\Windows\ftebh.exe
C:\Windows\fzmxg.dll
C:\Windows\sysockeu.exe
C:\Windows\sysodkcs.exe
C:\Windows\sysoghcx.exe
C:\Windows\sysokuaw.exe
C:\Windows\sysounrk.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-06 17:48 . 2008-03-06 17:48 <DIR> d-------- C:\Program Files\Uniblue
2008-03-06 15:25 . 2008-03-06 15:25 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-03-06 15:25 . 2008-03-06 15:25 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-03-06 15:23 . 2008-03-06 15:23 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\SUPERAntiSpyware.com
2008-03-06 15:23 . 2008-03-06 15:23 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-06 15:02 . 2007-12-10 14:53 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-03-06 15:02 . 2007-12-10 14:53 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-03-06 15:02 . 2008-02-01 12:55 42,376 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-03-06 15:02 . 2007-12-10 14:53 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-03-06 15:01 . 2008-03-06 15:01 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\PC Tools
2008-03-06 15:01 . 2008-03-06 17:19 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-06 14:35 . 2008-03-06 14:43 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\Spyware Terminator
2008-03-06 14:35 . 2008-03-06 14:56 <DIR> d-------- C:\Users\All Users\Spyware Terminator
2008-03-06 14:35 . 2008-03-06 14:56 <DIR> d-------- C:\ProgramData\Spyware Terminator
2008-03-06 14:35 . 2008-03-06 14:55 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-03-06 14:35 . 2008-03-06 14:35 138,752 --a------ C:\Windows\System32\drivers\sp_rsdrv2.sys
2008-03-06 13:58 . 2008-03-06 13:58 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-03-06 13:57 . 2008-03-09 11:13 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-03-06 13:57 . 2008-03-09 11:13 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-03-05 23:53 . 2008-03-05 23:53 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\Grisoft
2008-03-05 23:50 . 2008-03-05 23:50 <DIR> d-------- C:\Users\All Users\Grisoft
2008-03-05 23:50 . 2008-03-05 23:50 <DIR> d-------- C:\ProgramData\Grisoft
2008-03-05 23:50 . 2007-05-30 13:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys
2008-03-05 23:35 . 2008-03-05 23:35 3,932,214 --a------ C:\Windows\mywallpaper.bmp
2008-02-27 00:40 . 2008-02-27 00:40 <DIR> d-------- C:\Program Files\Gadu-Gadu
2008-02-22 10:01 . 2008-02-22 10:14 <DIR> d-------- C:\Program Files\Opanda
2008-02-21 01:01 . 2008-02-21 01:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-20 22:48 . 2008-02-20 23:03 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\Nikon
2008-02-20 22:39 . 2008-02-25 19:52 20 ---h----- C:\Users\All Users\PKP_DLdw.DAT
2008-02-20 22:39 . 2008-02-25 19:52 20 ---h----- C:\ProgramData\PKP_DLdw.DAT
2008-02-20 22:36 . 2008-02-20 22:36 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2008-02-20 22:35 . 2008-02-20 22:35 <DIR> d-------- C:\Users\All Users\Nikon
2008-02-20 22:35 . 2008-02-20 22:35 <DIR> d-------- C:\ProgramData\Nikon
2008-02-20 22:35 . 2008-02-20 22:39 <DIR> d-------- C:\Program Files\Nikon
2008-02-20 22:35 . 2008-02-20 22:51 <DIR> d-------- C:\Program Files\Common Files\Nikon
2008-02-20 22:34 . 2008-02-20 22:39 <DIR> d-------- C:\Users\All Users\Ultima_T15
2008-02-20 22:34 . 2008-02-20 22:39 <DIR> d-------- C:\Users\All Users\EnterNHelp
2008-02-20 22:34 . 2008-02-20 22:39 <DIR> d-------- C:\ProgramData\Ultima_T15
2008-02-20 22:34 . 2008-02-20 22:39 <DIR> d-------- C:\ProgramData\EnterNHelp
2008-02-20 22:34 . 2008-02-25 19:26 20 ---h----- C:\Users\All Users\PKP_DLdu.DAT
2008-02-20 22:34 . 2008-02-25 19:26 20 ---h----- C:\ProgramData\PKP_DLdu.DAT
2008-02-20 02:10 . 2008-02-20 02:10 <DIR> d-------- C:\Program Files\Phun
2008-02-20 02:04 . 2008-02-20 02:05 <DIR> d-------- C:\Users\Piotrek\AppData\Roaming\Ventrilo
2008-02-15 00:10 . 2008-02-15 00:10 <DIR> d-------- C:\Program Files\Ventrilo
2008-02-14 01:13 . 2008-02-14 01:13 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-14 01:13 . 2008-02-14 01:13 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-14 01:11 . 2008-02-14 01:11 1,585,664 --a------ C:\Windows\System32\setupapi.dll
2008-02-14 01:11 . 2008-02-14 01:11 613,888 --a------ C:\Windows\System32\wpd_ci.dll
2008-02-14 01:11 . 2008-02-14 01:11 558,080 --a------ C:\Windows\System32\oleaut32.dll
2008-02-14 01:11 . 2008-02-14 01:11 260,096 --a------ C:\Windows\System32\dpx.dll
2008-02-14 01:11 . 2008-02-14 01:11 224,824 --a------ C:\Windows\System32\clfs.sys
2008-02-14 01:11 . 2008-02-14 01:11 221,696 --a------ C:\Windows\System32\umpnpmgr.dll
2008-02-14 01:11 . 2008-02-14 01:11 101,888 --a------ C:\Windows\System32\drvinst.exe
2008-02-14 01:11 . 2008-02-14 01:11 19,456 --a------ C:\Windows\System32\cfgmgr32.dll
2008-02-14 01:11 . 2008-02-14 01:11 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-02-14 01:07 . 2008-02-14 01:07 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-02-14 01:07 . 2008-02-14 01:07 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-02-14 01:07 . 2008-02-14 01:07 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-02-14 01:07 . 2008-02-14 01:07 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-02-14 01:07 . 2008-02-14 01:07 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-02-14 01:07 . 2008-02-14 01:07 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-02-14 01:07 . 2008-02-14 01:07 15,928 --a------ C:\Windows\System32\drivers\pciide.sys
2008-02-14 01:06 . 2008-02-14 01:06 806,400 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-02-14 01:06 . 2008-02-14 01:06 217,144 --a------ C:\Windows\System32\drivers\netio.sys
2008-02-14 01:06 . 2008-02-14 01:06 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-02-14 01:06 . 2008-02-14 01:06 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-02-14 01:06 . 2008-02-14 01:06 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-02-14 01:05 . 2008-02-14 01:05 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-14 01:05 . 2008-02-14 01:05 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-02-10 19:33 . 2008-02-10 19:33 <DIR> d-------- C:\peanut

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 10:15 --------- d-----w C:\Users\Piotrek\AppData\Roaming\Skype
2008-03-09 10:12 --------- d---a-w C:\ProgramData\TEMP
2008-03-09 10:10 350,468 ---ha-w C:\Windows\system32\drivers\vsconfig.xml
2008-03-09 07:01 --------- d-----w C:\Users\Piotrek\AppData\Roaming\skypePM
2008-03-06 15:49 351,744 ----a-w C:\Windows\Internet Logs\xDB8C61.tmp
2008-03-06 14:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-04 22:32 --------- d-----w C:\Program Files\Warcraft III
2008-02-28 22:18 1,488,384 ----a-w C:\Windows\Internet Logs\xDB97AC.tmp
2008-02-14 00:05 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-14 00:05 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 00:05 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-14 00:05 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-14 00:02 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-14 00:02 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-14 00:02 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-14 00:02 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-13 17:35 1,934,478 ----a-w C:\Windows\Internet Logs\tvDebug.zip
2008-02-04 19:11 --------- d-----w C:\ProgramData\Poszukiwacze Zaginionej Warszawy
2008-02-04 18:43 --------- d-----w C:\Program Files\Warszawa
2008-02-03 22:26 --------- d-----w C:\Program Files\AusLogics BoostSpeed
2008-02-03 19:46 --------- d-----w C:\Program Files\Softland
2008-02-03 19:42 --------- d-----w C:\Program Files\FreeMind
2008-02-02 20:20 1,410,560 ----a-w C:\Windows\Internet Logs\xDB8BF4.tmp
2008-02-02 19:00 32 ----a-w C:\Users\All Users\ezsid.dat
2008-02-02 19:00 32 ----a-w C:\ProgramData\ezsid.dat
2008-02-02 18:58 --------- d-----w C:\ProgramData\Skype
2008-02-02 18:58 --------- d-----w C:\Program Files\Skype
2008-02-02 18:58 --------- d-----w C:\Program Files\Common Files\Skype
2008-01-28 06:00 2,715,648 ----a-w C:\Windows\Internet Logs\xDB885A.tmp
2008-01-19 15:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 15:07 --------- d-----w C:\Program Files\Linksys
2008-01-19 15:07 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-19 13:42 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-09 00:17 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-09 00:17 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 00:06 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-09 00:06 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-09 00:06 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-08 21:33 1,379,328 ----a-w C:\Windows\Internet Logs\xDBE29F.tmp
2007-12-28 23:43 1,366,528 ----a-w C:\Windows\Internet Logs\xDB921E.tmp
2007-12-12 00:09 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 00:09 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 00:09 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-08-30 04:18 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( [email protected]_ 7.35.56,64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-09 05:37:59 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-03-09 10:10:37 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-03-09 06:05:37 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-03-09 10:14:56 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-03-08 23:01:03 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-03-09 10:14:30 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-03-09 06:23:37 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-03-09 06:41:31 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-03-08 23:00:58 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-03-09 10:14:23 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-03-09 06:10:49 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-03-09 10:25:22 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-03-09 06:10:49 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-09 10:25:22 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-09 06:10:49 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-03-09 10:25:22 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-03-08 15:07:11 8,136 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-626618699-1994527308-801062002-1000_UserData.bin
+ 2008-03-09 10:14:55 8,152 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-626618699-1994527308-801062002-1000_UserData.bin
- 2008-03-08 15:07:10 61,318 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-03-09 10:14:54 61,446 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-03-08 19:12:26 41,000 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-03-09 10:14:37 41,200 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-03-09 05:38:02 246,970 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2008-03-09 08:52:34 247,672 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 13:35 2159104 C:\Windows\System32\oobefldr.dll]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2005-09-03 14:18 94208]
"Show missed alarms"="C:\Program Files\Alarm\Alarm.exe" [2006-09-12 14:12 253984]
"Network Drive Mapping Utility"="C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe" [2007-08-24 10:55 286336]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 11:54 2131392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-23 00:22 1006264]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 15:49 77824]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Windows\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 14:10 271360]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-11 22:28 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-11 22:28 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-11 22:28 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-04 05:24 960240]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 22:26 68640]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17 52256]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Network Drive Mapping Utility"="C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe" [2007-08-24 10:55 286336]
"RegistryMechanic"="" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 09:17 1241088]

C:\Users\Piotrek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Nikon Monitor.lnk - C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-06-14 19:39:18 479232]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{F660E819-41D8-457B-8AC5-C030914B6AB0}C:\program files\gadu-gadu\gg.exe"= UDP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny|Desc=Gadu-Gadu - program główny
"UDP Query User{6C91CB71-A27B-4F49-8954-35FFA4398B5C}C:\program files\gadu-gadu\gg.exe"= TCP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny|Desc=Gadu-Gadu - program główny
"TCP Query User{7F3B179E-83E4-4E34-BDFC-48D0CDC1F232}C:\program files\gadu-gadu\gg.exe"= UDP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny|Desc=Gadu-Gadu - program główny
"UDP Query User{B1EC7833-FEFD-4406-A4E6-383987B24817}C:\program files\gadu-gadu\gg.exe"= TCP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny|Desc=Gadu-Gadu - program główny
"TCP Query User{2C8AADE8-71F7-42BC-B0B7-DA00C50D0E0F}C:\program files\internet explorer\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"UDP Query User{8FC3C74F-C1F1-4ECB-9D16-3B01B3C04905}C:\program files\internet explorer\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"TCP Query User{A6439DEE-64D3-4EDB-BEA2-0CEF2274AD59}C:\program files\emule\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule|Desc=eMule
"UDP Query User{F441AFB9-8050-4A4D-84B5-2EC646131840}C:\program files\emule\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule|Desc=eMule
"TCP Query User{58216B4C-23A9-49D9-ACB4-AAA066FB7566}C:\program files\emule\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule|Desc=eMule
"UDP Query User{3926461B-43B3-4FD9-B5BB-B0105640F174}C:\program files\emule\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule|Desc=eMule
"TCP Query User{45087D7F-BFA0-40AE-8717-6221C3AD26D3}C:\program files\opera\opera.exe"= UDP:C:\program files\opera\opera.exe:Opera Internet Browser|Desc=Opera Internet Browser
"UDP Query User{7BF067AB-864C-4383-9063-E97D0CD845F8}C:\program files\opera\opera.exe"= TCP:C:\program files\opera\opera.exe:Opera Internet Browser|Desc=Opera Internet Browser
"TCP Query User{12C43768-FEB8-42E4-9CFF-BBE239D35D4B}C:\program files\opera\opera.exe"= UDP:C:\program files\opera\opera.exe:Opera Internet Browser|Desc=Opera Internet Browser
"UDP Query User{5E2CA1C9-D734-4271-B266-F0ADE6A0A495}C:\program files\opera\opera.exe"= TCP:C:\program files\opera\opera.exe:Opera Internet Browser|Desc=Opera Internet Browser
"TCP Query User{91AA4285-FDF7-48A7-AD1C-9B083229CDAE}C:\users\piotrek\appdata\local\temp\ixp000.tmp\rbot.exe"= UDP:C:\users\piotrek\appdata\local\temp\ixp000.tmp\rbot.exe:rbot.exe|Desc=rbot.exe
"UDP Query User{44385FD4-115D-41FE-AB6F-8EE8A8218D9C}C:\users\piotrek\appdata\local\temp\ixp000.tmp\rbot.exe"= TCP:C:\users\piotrek\appdata\local\temp\ixp000.tmp\rbot.exe:rbot.exe|Desc=rbot.exe
"TCP Query User{9EB95885-F0EE-491A-91FD-23B5D3C73F54}C:\program files\last.fm\lastfm.exe"= UDP:C:\program files\last.fm\lastfm.exe:Last.fm|Desc=Last.fm
"UDP Query User{6930FAF0-A87B-41DF-81AF-ADEDAFF8A596}C:\program files\last.fm\lastfm.exe"= TCP:C:\program files\last.fm\lastfm.exe:Last.fm|Desc=Last.fm
"TCP Query User{3A25ED4D-F416-4D4A-91E8-DB3C92EA878F}C:\program files\last.fm\lastfm.exe"= UDP:C:\program files\last.fm\lastfm.exe:Last.fm|Desc=Last.fm
"UDP Query User{DE8EDADD-D37D-4EC0-860D-D675C6AC8F44}C:\program files\last.fm\lastfm.exe"= TCP:C:\program files\last.fm\lastfm.exe:Last.fm|Desc=Last.fm
"{677316DA-7DE3-4AFE-AC61-DCBB0AAA15C8}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{070587DB-C900-427C-B8CD-88DBC9C9CEB1}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{9D0CD623-5265-4F5E-8DC7-73B2FA84C1A5}C:\program files\warcraft iii\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"UDP Query User{11C7E1FC-22AE-4464-B8FC-8DCD1B432FD1}C:\program files\warcraft iii\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"TCP Query User{23390609-A07B-4C86-80F8-FD7F4695E5F1}C:\program files\warcraft iii\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"UDP Query User{9609D59E-F1D9-4118-994E-F4BBC0A8090D}C:\program files\warcraft iii\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 ntcdrdrv;ntcdrdrv;C:\Windows\system32\DRIVERS\ntcdrdrv.sys [2007-05-16 10:42]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2007-12-04 15:52]
R3 L6DP;L6DP;C:\Windows\system32\Drivers\l6dp.sys [2007-01-30 02:22]
R3 L6TPortB;Service - Line 6 TonePort UX2;C:\Windows\system32\Drivers\L6TPortB.sys [2007-01-30 02:17]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 08:30]
S3 kvpndev;Kerio VPN adapter;C:\Windows\system32\DRIVERS\kvpndrv.sys [2007-05-25 14:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2eedb914-ab76-11dc-b46c-000129d2a37e}]
\shell\AutoRun\command - G:\
\shell\open\Command - rundll32.exe .\desktop.dll,InstallM

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e91f33ee-50fe-11dc-8aa3-806e6f6e6963}]
\shell\AutoRun\command - F:\App/Menu.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 11:27:48
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-09 11:29:41
ComboFix-quarantined-files.txt 2008-03-09 10:29:34
ComboFix2.txt 2008-03-09 06:37:06
.
2008-02-21 23:35:03 --- E O F ---
  • 0

#9
piotramp

    New Member

  • Topic Starter
  • Member
  • 5 posts
everything seems quite normal now. no pop-ups, no information..
the background i have changed manually, so it's also normal now :)

THANK YOU!
  • 0

#10
sarahw

    Malware Staff

  • Member
  • 2,781 posts
There are still a few things that don't look right.
It looks like your firewall and antivirus are turned off. Can you please check them?
I'd also like to do a virus scan to make sure there is nothing hiding. If we get the all clean, I'll give you some free tools and information. :)

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under Select a target to scan: select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0
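sarahw's remark that the firewall and antivirus look turned off can be read straight from the ComboFix "Reg Loading Points" section quoted earlier in the thread: "EnableFirewall"= 0 in the Domain, Public and Standard profiles, "DisableMonitoring"=dword:00000001 under Security Center for KasperskyAntiVirus and ZoneLabsFirewall, and a pair of FirewallRules entries that still allow rbot.exe out of the user's Temp directory. The Python below is an added example for this thread, not code from ComboFix, HijackThis or Geeks to Go, showing how a helper could pull those three indicators out of a saved log. SAMPLE_LOG is constructed from the lines quoted above; the finding names and the TEMP_MARKERS list are this example's own choices.

```python
"""Triage of posture indicators in a ComboFix "Reg Loading Points" dump.

Added example for this thread; it is not ComboFix's, HijackThis's or
Geeks to Go's own code. SAMPLE_LOG is constructed from the lines quoted
in the log above.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

SECTION_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')
# FirewallRules values look like:  PROTO:<exe path>:<display name>|Desc=<text>
RULE_RE = re.compile(r"^(?:TCP|UDP):(?P<path>[A-Za-z]:\\[^:|]+)", re.IGNORECASE)
# Directories installed software almost never needs a standing firewall
# exception for (this example's own list, extend as needed).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed sample: a condensed copy of the relevant lines from the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{45087D7F-BFA0-40AE-8717-6221C3AD26D3}C:\program files\opera\opera.exe"= UDP:C:\program files\opera\opera.exe:Opera Internet Browser|Desc=Opera Internet Browser
"TCP Query User{91AA4285-FDF7-48A7-AD1C-9B083229CDAE}C:\users\piotrek\appdata\local\temp\ixp000.tmp\rbot.exe"= UDP:C:\users\piotrek\appdata\local\temp\ixp000.tmp\rbot.exe:rbot.exe|Desc=rbot.exe
"UDP Query User{44385FD4-115D-41FE-AB6F-8EE8A8218D9C}C:\users\piotrek\appdata\local\temp\ixp000.tmp\rbot.exe"= TCP:C:\users\piotrek\appdata\local\temp\ixp000.tmp\rbot.exe:rbot.exe|Desc=rbot.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"""


def parse_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group the "name"=value lines of a REGEDIT4-style dump under their [key] headers."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("path")
            sections.setdefault(current, [])
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            sections[current].append((entry.group("name"), entry.group("value")))
    return sections


def rule_executable(value: str) -> Optional[str]:
    """Lower-cased executable path of a FirewallRules value, or None if it has none."""
    m = RULE_RE.match(value)
    return m.group("path").lower() if m else None


def triage(text: str) -> List[Tuple[str, str]]:
    """Return de-duplicated (finding, detail) pairs for the three indicators."""
    findings: List[Tuple[str, str]] = []
    seen: Set[Tuple[str, str]] = set()
    for path, entries in parse_sections(text).items():
        key = path.lower()
        leaf = key.rsplit("\\", 1)[-1]          # e.g. "domainprofile", "firewallrules"
        for name, value in entries:
            finding: Optional[Tuple[str, str]] = None
            if "firewallpolicy" in key and name == "EnableFirewall" and value.startswith("0"):
                finding = ("firewall_disabled", leaf)
            elif ("security center\\monitoring" in key and name == "DisableMonitoring"
                    and value.lower() == "dword:00000001"):
                finding = ("monitoring_disabled", leaf)
            elif leaf == "firewallrules":
                exe = rule_executable(value)
                if exe and any(marker in exe for marker in TEMP_MARKERS):
                    finding = ("temp_exe_exception", exe)
            if finding and finding not in seen:
                seen.add(finding)
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:22} {detail}")
```

Two of the three findings are context rather than verdicts: third-party suites commonly set DisableMonitoring themselves when they take over Security Center reporting, and with ZoneAlarm's vsmon.exe listed as a running service in the HijackThis log the Windows Firewall profiles being off can be expected. The temp-directory exception is the one that needs no interpretation: nothing installed under Program Files asks for a standing rule for an executable in a Temp folder, which is why the rbot.exe rules are worth removing even after the files themselves are gone.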

#11
sarahw

    Malware Staff

  • Member
  • 2,781 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





